fa540381c6f12e407a8f14a9227ae4f9ae89beb72845c23f21843ac60f733a58

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10/08/2024, 03:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-10_4117d21ca0c4a3bdf3b46c293a312910_goldeneye.exe
Size

380KB
MD5

4117d21ca0c4a3bdf3b46c293a312910
SHA1

60d8e9cbb09e00623ab19ec43880a5b6fdf25e2d
SHA256

fa540381c6f12e407a8f14a9227ae4f9ae89beb72845c23f21843ac60f733a58
SHA512

6ecb1c63da7b4151277666234a411330da80b48dcd61d4592ab751be92dcf35f4bce8beff691d815b76a120383e309d60af1c6fe13325522f15545a629dd92fd
SSDEEP

3072:mEGh0odlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEGPl7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5512EF6-9E82-469b-B538-FFDD66866AC2}	{20F9410F-C95A-4437-86C9-0BD593CCEFCF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72183D55-91A6-480c-A01D-31275CC5E8B9}	2024-08-10_4117d21ca0c4a3bdf3b46c293a312910_goldeneye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79902250-8758-40ae-A4C0-24E5A47605F6}\stubpath = "C:\\Windows\\{79902250-8758-40ae-A4C0-24E5A47605F6}.exe"	{5F302518-FB5C-4497-8CD3-0C96BF478078}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20F9410F-C95A-4437-86C9-0BD593CCEFCF}\stubpath = "C:\\Windows\\{20F9410F-C95A-4437-86C9-0BD593CCEFCF}.exe"	{79902250-8758-40ae-A4C0-24E5A47605F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F302518-FB5C-4497-8CD3-0C96BF478078}	{884927FB-BDCB-453c-8C30-208671463047}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{79902250-8758-40ae-A4C0-24E5A47605F6}	{5F302518-FB5C-4497-8CD3-0C96BF478078}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB63E80B-B4D4-4339-9258-C1E1C484237A}	{72183D55-91A6-480c-A01D-31275CC5E8B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB63E80B-B4D4-4339-9258-C1E1C484237A}\stubpath = "C:\\Windows\\{FB63E80B-B4D4-4339-9258-C1E1C484237A}.exe"	{72183D55-91A6-480c-A01D-31275CC5E8B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{884927FB-BDCB-453c-8C30-208671463047}\stubpath = "C:\\Windows\\{884927FB-BDCB-453c-8C30-208671463047}.exe"	{57536F19-E81E-4e66-92E6-040EC0E22222}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73207BEC-C7F4-42d7-87E5-064C9EBBEB98}\stubpath = "C:\\Windows\\{73207BEC-C7F4-42d7-87E5-064C9EBBEB98}.exe"	{A5512EF6-9E82-469b-B538-FFDD66866AC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B71F426-8923-4756-BF9C-306DA9A8FF05}\stubpath = "C:\\Windows\\{6B71F426-8923-4756-BF9C-306DA9A8FF05}.exe"	{73207BEC-C7F4-42d7-87E5-064C9EBBEB98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F07866C-93F6-46e6-A229-68A60C705473}\stubpath = "C:\\Windows\\{2F07866C-93F6-46e6-A229-68A60C705473}.exe"	{6B71F426-8923-4756-BF9C-306DA9A8FF05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57536F19-E81E-4e66-92E6-040EC0E22222}\stubpath = "C:\\Windows\\{57536F19-E81E-4e66-92E6-040EC0E22222}.exe"	{FB63E80B-B4D4-4339-9258-C1E1C484237A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5512EF6-9E82-469b-B538-FFDD66866AC2}\stubpath = "C:\\Windows\\{A5512EF6-9E82-469b-B538-FFDD66866AC2}.exe"	{20F9410F-C95A-4437-86C9-0BD593CCEFCF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{73207BEC-C7F4-42d7-87E5-064C9EBBEB98}	{A5512EF6-9E82-469b-B538-FFDD66866AC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F302518-FB5C-4497-8CD3-0C96BF478078}\stubpath = "C:\\Windows\\{5F302518-FB5C-4497-8CD3-0C96BF478078}.exe"	{884927FB-BDCB-453c-8C30-208671463047}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20F9410F-C95A-4437-86C9-0BD593CCEFCF}	{79902250-8758-40ae-A4C0-24E5A47605F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B71F426-8923-4756-BF9C-306DA9A8FF05}	{73207BEC-C7F4-42d7-87E5-064C9EBBEB98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F07866C-93F6-46e6-A229-68A60C705473}	{6B71F426-8923-4756-BF9C-306DA9A8FF05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72183D55-91A6-480c-A01D-31275CC5E8B9}\stubpath = "C:\\Windows\\{72183D55-91A6-480c-A01D-31275CC5E8B9}.exe"	2024-08-10_4117d21ca0c4a3bdf3b46c293a312910_goldeneye.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57536F19-E81E-4e66-92E6-040EC0E22222}	{FB63E80B-B4D4-4339-9258-C1E1C484237A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{884927FB-BDCB-453c-8C30-208671463047}	{57536F19-E81E-4e66-92E6-040EC0E22222}.exe

Deletes itself 1 IoCs

pid	Process
2912	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2484	{72183D55-91A6-480c-A01D-31275CC5E8B9}.exe
2808	{FB63E80B-B4D4-4339-9258-C1E1C484237A}.exe
2760	{57536F19-E81E-4e66-92E6-040EC0E22222}.exe
2648	{884927FB-BDCB-453c-8C30-208671463047}.exe
2652	{5F302518-FB5C-4497-8CD3-0C96BF478078}.exe
2856	{79902250-8758-40ae-A4C0-24E5A47605F6}.exe
2916	{20F9410F-C95A-4437-86C9-0BD593CCEFCF}.exe
2508	{A5512EF6-9E82-469b-B538-FFDD66866AC2}.exe
3056	{73207BEC-C7F4-42d7-87E5-064C9EBBEB98}.exe
1976	{6B71F426-8923-4756-BF9C-306DA9A8FF05}.exe
408	{2F07866C-93F6-46e6-A229-68A60C705473}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5F302518-FB5C-4497-8CD3-0C96BF478078}.exe	{884927FB-BDCB-453c-8C30-208671463047}.exe
File created	C:\Windows\{79902250-8758-40ae-A4C0-24E5A47605F6}.exe	{5F302518-FB5C-4497-8CD3-0C96BF478078}.exe
File created	C:\Windows\{FB63E80B-B4D4-4339-9258-C1E1C484237A}.exe	{72183D55-91A6-480c-A01D-31275CC5E8B9}.exe
File created	C:\Windows\{884927FB-BDCB-453c-8C30-208671463047}.exe	{57536F19-E81E-4e66-92E6-040EC0E22222}.exe
File created	C:\Windows\{20F9410F-C95A-4437-86C9-0BD593CCEFCF}.exe	{79902250-8758-40ae-A4C0-24E5A47605F6}.exe
File created	C:\Windows\{A5512EF6-9E82-469b-B538-FFDD66866AC2}.exe	{20F9410F-C95A-4437-86C9-0BD593CCEFCF}.exe
File created	C:\Windows\{73207BEC-C7F4-42d7-87E5-064C9EBBEB98}.exe	{A5512EF6-9E82-469b-B538-FFDD66866AC2}.exe
File created	C:\Windows\{6B71F426-8923-4756-BF9C-306DA9A8FF05}.exe	{73207BEC-C7F4-42d7-87E5-064C9EBBEB98}.exe
File created	C:\Windows\{2F07866C-93F6-46e6-A229-68A60C705473}.exe	{6B71F426-8923-4756-BF9C-306DA9A8FF05}.exe
File created	C:\Windows\{72183D55-91A6-480c-A01D-31275CC5E8B9}.exe	2024-08-10_4117d21ca0c4a3bdf3b46c293a312910_goldeneye.exe
File created	C:\Windows\{57536F19-E81E-4e66-92E6-040EC0E22222}.exe	{FB63E80B-B4D4-4339-9258-C1E1C484237A}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{72183D55-91A6-480c-A01D-31275CC5E8B9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{884927FB-BDCB-453c-8C30-208671463047}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5F302518-FB5C-4497-8CD3-0C96BF478078}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A5512EF6-9E82-469b-B538-FFDD66866AC2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-10_4117d21ca0c4a3bdf3b46c293a312910_goldeneye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{57536F19-E81E-4e66-92E6-040EC0E22222}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{79902250-8758-40ae-A4C0-24E5A47605F6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{20F9410F-C95A-4437-86C9-0BD593CCEFCF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6B71F426-8923-4756-BF9C-306DA9A8FF05}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FB63E80B-B4D4-4339-9258-C1E1C484237A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{73207BEC-C7F4-42d7-87E5-064C9EBBEB98}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2F07866C-93F6-46e6-A229-68A60C705473}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1316	2024-08-10_4117d21ca0c4a3bdf3b46c293a312910_goldeneye.exe
Token: SeIncBasePriorityPrivilege	2484	{72183D55-91A6-480c-A01D-31275CC5E8B9}.exe
Token: SeIncBasePriorityPrivilege	2808	{FB63E80B-B4D4-4339-9258-C1E1C484237A}.exe
Token: SeIncBasePriorityPrivilege	2760	{57536F19-E81E-4e66-92E6-040EC0E22222}.exe
Token: SeIncBasePriorityPrivilege	2648	{884927FB-BDCB-453c-8C30-208671463047}.exe
Token: SeIncBasePriorityPrivilege	2652	{5F302518-FB5C-4497-8CD3-0C96BF478078}.exe
Token: SeIncBasePriorityPrivilege	2856	{79902250-8758-40ae-A4C0-24E5A47605F6}.exe
Token: SeIncBasePriorityPrivilege	2916	{20F9410F-C95A-4437-86C9-0BD593CCEFCF}.exe
Token: SeIncBasePriorityPrivilege	2508	{A5512EF6-9E82-469b-B538-FFDD66866AC2}.exe
Token: SeIncBasePriorityPrivilege	3056	{73207BEC-C7F4-42d7-87E5-064C9EBBEB98}.exe
Token: SeIncBasePriorityPrivilege	1976	{6B71F426-8923-4756-BF9C-306DA9A8FF05}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 2484	1316	2024-08-10_4117d21ca0c4a3bdf3b46c293a312910_goldeneye.exe	31
PID 1316 wrote to memory of 2484	1316	2024-08-10_4117d21ca0c4a3bdf3b46c293a312910_goldeneye.exe	31
PID 1316 wrote to memory of 2484	1316	2024-08-10_4117d21ca0c4a3bdf3b46c293a312910_goldeneye.exe	31
PID 1316 wrote to memory of 2484	1316	2024-08-10_4117d21ca0c4a3bdf3b46c293a312910_goldeneye.exe	31
PID 1316 wrote to memory of 2912	1316	2024-08-10_4117d21ca0c4a3bdf3b46c293a312910_goldeneye.exe	32
PID 1316 wrote to memory of 2912	1316	2024-08-10_4117d21ca0c4a3bdf3b46c293a312910_goldeneye.exe	32
PID 1316 wrote to memory of 2912	1316	2024-08-10_4117d21ca0c4a3bdf3b46c293a312910_goldeneye.exe	32
PID 1316 wrote to memory of 2912	1316	2024-08-10_4117d21ca0c4a3bdf3b46c293a312910_goldeneye.exe	32
PID 2484 wrote to memory of 2808	2484	{72183D55-91A6-480c-A01D-31275CC5E8B9}.exe	33
PID 2484 wrote to memory of 2808	2484	{72183D55-91A6-480c-A01D-31275CC5E8B9}.exe	33
PID 2484 wrote to memory of 2808	2484	{72183D55-91A6-480c-A01D-31275CC5E8B9}.exe	33
PID 2484 wrote to memory of 2808	2484	{72183D55-91A6-480c-A01D-31275CC5E8B9}.exe	33
PID 2484 wrote to memory of 3016	2484	{72183D55-91A6-480c-A01D-31275CC5E8B9}.exe	34
PID 2484 wrote to memory of 3016	2484	{72183D55-91A6-480c-A01D-31275CC5E8B9}.exe	34
PID 2484 wrote to memory of 3016	2484	{72183D55-91A6-480c-A01D-31275CC5E8B9}.exe	34
PID 2484 wrote to memory of 3016	2484	{72183D55-91A6-480c-A01D-31275CC5E8B9}.exe	34
PID 2808 wrote to memory of 2760	2808	{FB63E80B-B4D4-4339-9258-C1E1C484237A}.exe	35
PID 2808 wrote to memory of 2760	2808	{FB63E80B-B4D4-4339-9258-C1E1C484237A}.exe	35
PID 2808 wrote to memory of 2760	2808	{FB63E80B-B4D4-4339-9258-C1E1C484237A}.exe	35
PID 2808 wrote to memory of 2760	2808	{FB63E80B-B4D4-4339-9258-C1E1C484237A}.exe	35
PID 2808 wrote to memory of 2792	2808	{FB63E80B-B4D4-4339-9258-C1E1C484237A}.exe	36
PID 2808 wrote to memory of 2792	2808	{FB63E80B-B4D4-4339-9258-C1E1C484237A}.exe	36
PID 2808 wrote to memory of 2792	2808	{FB63E80B-B4D4-4339-9258-C1E1C484237A}.exe	36
PID 2808 wrote to memory of 2792	2808	{FB63E80B-B4D4-4339-9258-C1E1C484237A}.exe	36
PID 2760 wrote to memory of 2648	2760	{57536F19-E81E-4e66-92E6-040EC0E22222}.exe	37
PID 2760 wrote to memory of 2648	2760	{57536F19-E81E-4e66-92E6-040EC0E22222}.exe	37
PID 2760 wrote to memory of 2648	2760	{57536F19-E81E-4e66-92E6-040EC0E22222}.exe	37
PID 2760 wrote to memory of 2648	2760	{57536F19-E81E-4e66-92E6-040EC0E22222}.exe	37
PID 2760 wrote to memory of 2596	2760	{57536F19-E81E-4e66-92E6-040EC0E22222}.exe	38
PID 2760 wrote to memory of 2596	2760	{57536F19-E81E-4e66-92E6-040EC0E22222}.exe	38
PID 2760 wrote to memory of 2596	2760	{57536F19-E81E-4e66-92E6-040EC0E22222}.exe	38
PID 2760 wrote to memory of 2596	2760	{57536F19-E81E-4e66-92E6-040EC0E22222}.exe	38
PID 2648 wrote to memory of 2652	2648	{884927FB-BDCB-453c-8C30-208671463047}.exe	39
PID 2648 wrote to memory of 2652	2648	{884927FB-BDCB-453c-8C30-208671463047}.exe	39
PID 2648 wrote to memory of 2652	2648	{884927FB-BDCB-453c-8C30-208671463047}.exe	39
PID 2648 wrote to memory of 2652	2648	{884927FB-BDCB-453c-8C30-208671463047}.exe	39
PID 2648 wrote to memory of 2340	2648	{884927FB-BDCB-453c-8C30-208671463047}.exe	40
PID 2648 wrote to memory of 2340	2648	{884927FB-BDCB-453c-8C30-208671463047}.exe	40
PID 2648 wrote to memory of 2340	2648	{884927FB-BDCB-453c-8C30-208671463047}.exe	40
PID 2648 wrote to memory of 2340	2648	{884927FB-BDCB-453c-8C30-208671463047}.exe	40
PID 2652 wrote to memory of 2856	2652	{5F302518-FB5C-4497-8CD3-0C96BF478078}.exe	41
PID 2652 wrote to memory of 2856	2652	{5F302518-FB5C-4497-8CD3-0C96BF478078}.exe	41
PID 2652 wrote to memory of 2856	2652	{5F302518-FB5C-4497-8CD3-0C96BF478078}.exe	41
PID 2652 wrote to memory of 2856	2652	{5F302518-FB5C-4497-8CD3-0C96BF478078}.exe	41
PID 2652 wrote to memory of 284	2652	{5F302518-FB5C-4497-8CD3-0C96BF478078}.exe	42
PID 2652 wrote to memory of 284	2652	{5F302518-FB5C-4497-8CD3-0C96BF478078}.exe	42
PID 2652 wrote to memory of 284	2652	{5F302518-FB5C-4497-8CD3-0C96BF478078}.exe	42
PID 2652 wrote to memory of 284	2652	{5F302518-FB5C-4497-8CD3-0C96BF478078}.exe	42
PID 2856 wrote to memory of 2916	2856	{79902250-8758-40ae-A4C0-24E5A47605F6}.exe	43
PID 2856 wrote to memory of 2916	2856	{79902250-8758-40ae-A4C0-24E5A47605F6}.exe	43
PID 2856 wrote to memory of 2916	2856	{79902250-8758-40ae-A4C0-24E5A47605F6}.exe	43
PID 2856 wrote to memory of 2916	2856	{79902250-8758-40ae-A4C0-24E5A47605F6}.exe	43
PID 2856 wrote to memory of 1664	2856	{79902250-8758-40ae-A4C0-24E5A47605F6}.exe	44
PID 2856 wrote to memory of 1664	2856	{79902250-8758-40ae-A4C0-24E5A47605F6}.exe	44
PID 2856 wrote to memory of 1664	2856	{79902250-8758-40ae-A4C0-24E5A47605F6}.exe	44
PID 2856 wrote to memory of 1664	2856	{79902250-8758-40ae-A4C0-24E5A47605F6}.exe	44
PID 2916 wrote to memory of 2508	2916	{20F9410F-C95A-4437-86C9-0BD593CCEFCF}.exe	45
PID 2916 wrote to memory of 2508	2916	{20F9410F-C95A-4437-86C9-0BD593CCEFCF}.exe	45
PID 2916 wrote to memory of 2508	2916	{20F9410F-C95A-4437-86C9-0BD593CCEFCF}.exe	45
PID 2916 wrote to memory of 2508	2916	{20F9410F-C95A-4437-86C9-0BD593CCEFCF}.exe	45
PID 2916 wrote to memory of 344	2916	{20F9410F-C95A-4437-86C9-0BD593CCEFCF}.exe	46
PID 2916 wrote to memory of 344	2916	{20F9410F-C95A-4437-86C9-0BD593CCEFCF}.exe	46
PID 2916 wrote to memory of 344	2916	{20F9410F-C95A-4437-86C9-0BD593CCEFCF}.exe	46
PID 2916 wrote to memory of 344	2916	{20F9410F-C95A-4437-86C9-0BD593CCEFCF}.exe	46

C:\Users\Admin\AppData\Local\Temp\2024-08-10_4117d21ca0c4a3bdf3b46c293a312910_goldeneye.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-10_4117d21ca0c4a3bdf3b46c293a312910_goldeneye.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\{72183D55-91A6-480c-A01D-31275CC5E8B9}.exe
  C:\Windows\{72183D55-91A6-480c-A01D-31275CC5E8B9}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\{FB63E80B-B4D4-4339-9258-C1E1C484237A}.exe
    C:\Windows\{FB63E80B-B4D4-4339-9258-C1E1C484237A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\{57536F19-E81E-4e66-92E6-040EC0E22222}.exe
      C:\Windows\{57536F19-E81E-4e66-92E6-040EC0E22222}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\{884927FB-BDCB-453c-8C30-208671463047}.exe
        
        C:\Windows\{884927FB-BDCB-453c-8C30-208671463047}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2648
      - C:\Windows\{5F302518-FB5C-4497-8CD3-0C96BF478078}.exe
        
        C:\Windows\{5F302518-FB5C-4497-8CD3-0C96BF478078}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\{79902250-8758-40ae-A4C0-24E5A47605F6}.exe
        
        C:\Windows\{79902250-8758-40ae-A4C0-24E5A47605F6}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\{20F9410F-C95A-4437-86C9-0BD593CCEFCF}.exe
        
        C:\Windows\{20F9410F-C95A-4437-86C9-0BD593CCEFCF}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\{A5512EF6-9E82-469b-B538-FFDD66866AC2}.exe
        
        C:\Windows\{A5512EF6-9E82-469b-B538-FFDD66866AC2}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\{73207BEC-C7F4-42d7-87E5-064C9EBBEB98}.exe
        
        C:\Windows\{73207BEC-C7F4-42d7-87E5-064C9EBBEB98}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\{6B71F426-8923-4756-BF9C-306DA9A8FF05}.exe
        
        C:\Windows\{6B71F426-8923-4756-BF9C-306DA9A8FF05}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Windows\{2F07866C-93F6-46e6-A229-68A60C705473}.exe
        
        C:\Windows\{2F07866C-93F6-46e6-A229-68A60C705473}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B71F~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73207~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5512~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20F94~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{79902~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F302~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:284
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88492~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2340
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57536~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FB63E~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{72183~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3016
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2024-0~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{20F9410F-C95A-4437-86C9-0BD593CCEFCF}.exe

Filesize
380KB

MD5
88b18563626dae89d67ab76c91727409

SHA1
969ff70a502bb5d9911d05c0ab2db957acbd607d

SHA256
ca4a5c7c6c18f2803b9beea131725941ce7dc48d8933eb3be9ab7924889b2071

SHA512
0b222d8b78f659386b937376ab9a8198a9aa1d88807c2f682887429a600b4b1587fd57643f31012170bd44317b01193be7cdd0cfc5a3247646b17d1ae9a6a751

Download Submit
C:\Windows\{2F07866C-93F6-46e6-A229-68A60C705473}.exe

Filesize
380KB

MD5
e3dd2cae07322de32a55c648fbd4bc69

SHA1
cfe922dfa7a25bdb35712e2d8524a175284ce162

SHA256
e7e6998276ee0f3627728be06ec13494c35609d3061ad4ca68390bde07ab1749

SHA512
f9a30e7238c5cd6b148c64100b4f80f78515fffdf897f71075bd4906542b45f6c218b72a53a93f1f66f46686f539aa435951c97c6f9103746cd0d1a39fcd2687

Download Submit
C:\Windows\{57536F19-E81E-4e66-92E6-040EC0E22222}.exe

Filesize
380KB

MD5
75b65bb9d70c66786a19d0a8f9d15cd2

SHA1
330f1ac584448d9a55a49a935c174e5a76105560

SHA256
68e17028eee03c37422afa495ab99a6aa4f6448657bc25f94c5067990cfeaf8a

SHA512
ce8ef46b58723df993d8d62ba38c3d0eacf8ca3719442a52a9902c31e8077fccfcc5d62188785419058fca417f37521d6fe5467e738ddf06b99892abe92e567d

Download Submit
C:\Windows\{5F302518-FB5C-4497-8CD3-0C96BF478078}.exe

Filesize
380KB

MD5
362c3b29fdce5dd3f0c39ac87e868878

SHA1
f7737ce1aafa90bdd2aa84baa81154ffe1c5b8cc

SHA256
3294e5bae9623c94c797f49452c66d13927e13cde80a9a1710c7ad0e1a7af6c6

SHA512
d2fb23cc0230cb3125bab7f0cfed8c822abdd3fce97fba635ce6562ebb9f6dfdbcf14991dbe51dbf973d20a4d44676d34a209c400cbab277acd31f8c560de8b2

Download Submit
C:\Windows\{6B71F426-8923-4756-BF9C-306DA9A8FF05}.exe

Filesize
380KB

MD5
b44957395909000fa79f525fa049abda

SHA1
439193cbfb5d6a0d490c5cceb3c40b924dd6f342

SHA256
086815764eb37a04f91a33a76fbcaf8b9a1c9a06887e2489db7fd9372d70de6f

SHA512
15e766096fe82b6bde070b790f33b6b11f410019ddd00c952159dee59193041e08ea6b6e6c7ff2bb830b5ed03c23e69a8abb529a4311742ad6840f171db33143

Download Submit
C:\Windows\{72183D55-91A6-480c-A01D-31275CC5E8B9}.exe

Filesize
380KB

MD5
fb1dcf75c3ff65f256a4bd730f45fdd9

SHA1
35a185bafe890392a1df2abdad7461d8b882dbf0

SHA256
774b3ad27ed4ea7c117d36ea08526a3d5ed13ece918bf1a94bb40aa4941d3407

SHA512
5d528752f9fc6dd506221af61d2027f1b7f27a2c5fc1d914fc5953cbe0f1ce77010c37a77d56f0fe38b2c8c9c407210764c2ca9c54189cb0716e62f46af13f6c

Download Submit
C:\Windows\{73207BEC-C7F4-42d7-87E5-064C9EBBEB98}.exe

Filesize
380KB

MD5
263f9615df83bea22f186a62c8456d6d

SHA1
4966f7560c5318d627ef51227a5fa0de62e285bc

SHA256
70cd53e41b3188b3e4704433737af2d2366f9f57d17ec5e80e947c010609aa0d

SHA512
9262a3d3c74840bea7bafe67b66465aff866845b3d6bb6f0e62ff67b02853a9972a2b85b9b3c2107f5b7c26a15ef334ea9cbbafbc7bcfeb634a463ea041073ba

Download Submit
C:\Windows\{79902250-8758-40ae-A4C0-24E5A47605F6}.exe

Filesize
380KB

MD5
1c393aab4c4aa694df76c175af46ec81

SHA1
781977f2f762842369c33bd39ab858c6e36ee2f3

SHA256
3547340622e4e505b7d17efb68e8807f38916366ce102226459a7ed60140c660

SHA512
cae99321edb2ad06066469e331c2ab2a7e60cf83da8ab68b59c99572d2d26e454d6e77b62356ccc4a8a2397f71336d1877dc91d3166818d508454e6d4a157265

Download Submit
C:\Windows\{884927FB-BDCB-453c-8C30-208671463047}.exe

Filesize
380KB

MD5
d19b8136d0c2491d66ac9c0f2de0cc32

SHA1
90a4d6b34c1c64b9b068bdcbece6de0748e20bf9

SHA256
0311328fbcb6889bc61e43875438d31bc3bf6926d3eb6871548b5c6793c22e49

SHA512
aef8f173e30fe095cd176295ab37b937db506f9d38ed1f0901d3ab3ba2e4a77eb62e390e1e58e6ca64bd0c72ea775aeefc1d49e222e14ff6610bfa66433fbfda

Download Submit
C:\Windows\{A5512EF6-9E82-469b-B538-FFDD66866AC2}.exe

Filesize
380KB

MD5
558fa25147ff4a9fe00f17ac8ea9e3a8

SHA1
d93bdca24a6dee5c0018fe2a49f0ea1584a0aa06

SHA256
f26490a8428576838c5b53b42f9e52253b46c12f951a6e53f59eff7e8a8d1a1e

SHA512
b01eea8b8b49c2a963510032f7fce946374e221221cd6da28b3823c2145fc2b1f65d453dd3ee11d96f38189744be2a12a25910ca286330b9a5e03c3ad530d23a

Download Submit
C:\Windows\{FB63E80B-B4D4-4339-9258-C1E1C484237A}.exe

Filesize
380KB

MD5
f3717cf8987391e14a82b14c37fdaa2f

SHA1
9469992a3e689cea850b5500a90213b82e762cd1

SHA256
f32c831f9947dab1beb5979a73001e771270c547cd7bcb387add5c56cf4f8e08

SHA512
ec76c14fc6beb89a06c1999761b54e2cc60705713871df54099cbbb2f696277d000f786e40e7db1f24b77db0845d46577bbbd5070be1e8ee7dcf8572ffb99a00

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads